Dear openssh developers,

We're about to switch several hundred Unix/Linux hosts from the traditional sshd 1.2.31 to OpenSSH, but we have noticed a major problem in the way authorized keys authentication is performed by sshd.

For security reasons the nfs server does not grant root permissions to most workstation mounts. Home directories are located on nfs mounted disks. Here's an example of how root fails to read other users' file:

    # cat ~pseudouser/.ssh/authorized_keys > /dev/null
    cat: 0652-050 Cannot open /pseudo/pseudouser/.ssh/authorized_keys.
    # su - pseudouser
    $ cat ~pseudouser/.ssh/authorized_keys > /dev/null
    $

On /var/adm/syslog/auth the error looks like this:

    "Apr 15 18:02:12 foobar sshd[23892]: Authentication refused: realpath /pseudo/pseudouser/.ssh/authorized_keys failed: Permission denied"

So the problem with OpenSSH's implementation of sshd is:

- sshd expects to be able to read public authorized_keys file from other user's home directory as root user.
- Other implementations of sshd have no similar problem since user id is changed appropriately to the user trying to authenticate with rsa or other key.

Problem has been verified to occur on following platforms:

- 3.0.2p1 / Solaris 8
- 3.0.2p1 / AIX 4.3.2
- 3.2cvs / AIX 4.3.2

Most likely the problem will appear on other architectures as well. I suggest checking functions like temporarily_use_uid(). A patch for 3.0.2p1 is needed as well as for 3.2cvs.

Sincerely,
Samuli Kajantola
Unix administrator
Helsinki University of Technology, Computing Centre
I think I've seen this before and it was related to the realpath() implementation....
Yup, realpath() was broken for AIX, probably Solaris as well. HUT/CC is going to install OpenSSH for all OS's with BROKEN_REALPATH defined. I think OpenSSH should reverse the logic for BROKEN_REALPATH, e.g. define SAFE_REALPATH only for OS's that have a working realpath(), otherwise use openbsd-compat/realpath.c by default.
Created attachment 86: One-liner patch for broken AIX realpath(), should apply to any recent version
Created attachment 87: Alternative patch for realpath(); reverse the logic for BROKEN_REALPATH
The AIX patch has been applied, but I am reticent to apply the SAFE_REALPATH patch. Is there any runtime test we could do to ascertain whether the libc provided realpath() is broken?
Hmm, there could be. Anyway, it's more important to have working code than worry about bloating the executable with custom version of realpath(). At least XEmacs and SSH-3.1.0 directly use their own versions of realpath(), instead of trying to keep up with a list of broken architectures or bloating configure.ac with complex runtime tests etc. So, how about just using always openbsd-compat/realpath.c?
I would prefer a review of our realpath.c if we are going to always use it. As the person who put the code in I know I made a few minor shortcuts to avoid importing in a ton of stuff from OpenBSD to get it to work under NeXT. - Ben
FWIW, I reported this to IBM Support, and they seem to agree realpath() is broken. I have received a patched libc.a, which in light testing seems to resolve the problem: public key login with perms 770 on ~/.ssh works.
Ok.. I'll mark this as resolved since IBM agreed it was a bug. I've looked over our realpath() and it should be fine (only minor modifications) for all cases. I could be convinced into having a ./configure --use-our-realpath or something like that. And have it documented to discuss nfs and realpath(). I'm not inclined to always use it.
*** Bug 29 has been marked as a duplicate of this bug. ***
*** Bug 237 has been marked as a duplicate of this bug. ***
I'll re-open this since it is a Solaris issue. This should be broached with Sun to see if there is a patch level that solves this.
Any followup on this, Ben?
There really is no way to detect this without root.
Do we know what platforms are broken? If so, just put it in the big case() statement...
Ok.. I did the audit and remember what I changed. The change I made may be racy since I replaced the fchdir() and added getcwd() to ensure more portable (AKA worked on NeXTStep). The only other platform I know that may be affected is Solaris (which currently does not define it). Does Solaris and AIX support fchdir()? If so I'd love to revert out of my hack. I foresee NeXTStep going away very soon. So it may be a good time.
AIX (checked back to 4.2.1) and Solaris (checked back to 2.6) both have fchdir().
The realpath() in the compat library has been updated to use fchdir if available. Possessors of systems with realpath implementations that don't work are advised to "./configure --with-cflags=-DBROKEN_REALPATH" and report the brokenness by opening a bugzilla bug against the platform in question, so it can be added to the blacklist.
With the release of OpenSSH 4.0, these bugs are now closed. For details, see: http://www.openssh.com/txt/release-4.0